Posted by timothy on Sunday February 24, 2013 @09:22AM from the ok-who-dropped-the-black-ball? dept.

Hugh Pickens writes "The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The 'Universi Dominici Gregis on the Vacancy of the Apostolic See and the Election of the Roman Pontiff' is surprisingly detailed. Now as the College of Cardinals prepares to elect a new pope, security people like Bruce Schneier wonder about the process. How does it work, and just how hard would it be to hack the vote? First, the system is entirely manual, making it immune to the sorts of technological attacks that make modern voting systems so risky. Second, the small group of voters — all of whom know each other — makes it impossible for an outsider to affect the voting in any way. The chapel is cleared and locked before voting. No one is going to dress up as a cardinal and sneak into the Sistine Chapel. In short, the voter verification process is about as good as you're ever going to find. A cardinal can't stuff ballots when he votes. Then the complicated paten-and-chalice ritual ensures that each cardinal votes once — his ballot is visible — and also keeps his hand out of the chalice holding the other votes. Ballots from previous votes are burned, which makes it harder to use one to stuff the ballot box. What are the lessons here? First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything. Second, small and simple elections are easier to secure. This kind of process works to elect a pope or a club president, but quickly becomes unwieldy for a large-scale election. And third: When an election process is left to develop over the course of a couple of thousand years, you end up with something surprisingly good."

Anyone who has had a group of friends vote on whether to eat Chinese or Italian knows that a group who all know each other can hold a secure vote immune from multiple votes or outsiders voting too. It's also obvious that this is not scalable beyond a group in which everyone does recognise everyone else.

Elections for high office should always be completely verifiable, and the identity of those who cast their ballot should be without doubt. In my opinion, the verification process for very important positions should be automatic and involve multiple competing groups.

If the pope is the representative of god on earth, I am assuming that the cardinals are all praying to god for guidance, therefore there shouldn't be any competing groups, assuming that we can verify that god exists.

If the pope is the representative of god on earth, I am assuming that the cardinals are all praying to god for guidance, therefore there shouldn't be any competing groups, assuming that we can verify that god exists.

I assume this is why they are all looking over each other's shoulders too - you wouldn't want to be the odd cardinal out who votes the wrong way, letting on that God isn't in fact guiding him at all!

To be honest though, I don't believe in God, but if one existed I'd fancy it would be the kind described on Futurama - only helping out when he's sure nobody is looking.

True, and the nature of their electoral process makes it instantly verifiable by all parties. Large elections with anonymous voting and close results can be the target of sophisticated election fraud.

In American presidential elections, I would like each vote to be anonymous but traceable. You randomly select a ballot that has a randomized code, and tear off or write down the code. Then, no less than 3 groups should receive every vote (the official ballot counters and the two main parties, and any other groups who want to tally the results). They would each post a website, or equivalent anonymous function, where you can enter your random code associated with your vote and check for yourself that your vote was transmitted properly (alerting each group when your vote appears incorrect). Then each group would individually tally the votes and confirm the election results.

The problem with this and most similar schemes is it allows you to sell your vote.

The thing that protects against vote selling is the difficulty of proving that you were faithful in your execution of the agreement. If I pay you 10$ to vote for the great flying spaghetti monster, I want to know you did in fact vote as instructed, and not for the lazy ravioli monster.

How about this approach? You cast a vote. At that time, a cryptographically strong hash of your vote is made and printed out as a receipt. The raw data of your vote remains with a special ID generated at the time of the vote and tied to that receipt.

You can query against the data base to generate your hash. If that hash changes, then possibly your vote changed as well. Or a vote tabulator can query against the data base to get how many votes for each candidate.

But the act of tying a particular vote to particular voters, would require both the receipt and access to the raw data of the database. Similarly, changing the vote tabulation without being caught would require either creating phantom voters or getting hold of those receipts and then changing the vote associated with the receipts you obtain. Neither is impossible, but beyond the reach of much of the would-be vote manipulators out there.

Doh, sorry. Hmm. What if the villain gets their hands on the hash function, can they generate the hash for "I voted for X" and then see whether or not it matches your receipt? Or do they need more than that? The ID? Which is printed right next to the hash on your receipt so that you can look it up yourself? If I'm understanding you, apologies if I'm not.

You can hash as many variables as you want. Social security number, date/time, machine ID, election salt, local salt, etc.

The receipt you keep isn't important, per se. Assuming it prints an anonymous hash that the election people can use to verify scores, is. And the best way to make it "honest" would be after-the-fact random audits plus regular audits of areas with a history of election fraud. Chicago comes to mind. Said audits would ideally find out how folks cheat in elections, that information could

What exactly would you be taking a hash of, however, and how would you verify the vote totals? Are you hashing the ballot serial number + the vote? Just because the election authority has published a hash that matches yours, doesn't mean they used your vote in the announced total.
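The receipt idea debated in the comments above, worked through as an added example that is not part of the thread (ballot IDs, candidate names and function names are constructed for illustration). It shows that a plain hash over the printed ID and the vote can be reversed by trying each candidate, that a keyed hash stops this but leaves the voter unable to recompute anything, and that finding a receipt on a published list says nothing about the announced totals.

```python
import hashlib
import hmac
import secrets
from collections import Counter

CANDIDATES = ["X", "Y", "Z"]  # constructed ballot choices


def receipt_hash(ballot_id, choice):
    """Receipt as proposed in the thread: hash over the printed ID and the vote."""
    return hashlib.sha256(f"{ballot_id}|{choice}".encode()).hexdigest()


def recover_choice(ballot_id, printed_hash):
    """Anyone shown the receipt can try each candidate; the input space is tiny."""
    for choice in CANDIDATES:
        if hmac.compare_digest(receipt_hash(ballot_id, choice), printed_hash):
            return choice
    return None


def keyed_receipt(secret_key, ballot_id, choice):
    """Variant keyed with a secret that only the election authority holds."""
    msg = f"{ballot_id}|{choice}".encode()
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()


def recover_choice_keyed(guessed_key, ballot_id, printed_hash):
    """The same candidate-by-candidate test, run with a guessed key."""
    for choice in CANDIDATES:
        candidate_hash = keyed_receipt(guessed_key, ballot_id, choice)
        if hmac.compare_digest(candidate_hash, printed_hash):
            return choice
    return None


def receipt_is_published(published_hashes, printed_hash):
    """The only check a voter can run against a public list of hashes."""
    return printed_hash in published_hashes


def demo():
    # Constructed sample: three voters, IDs printed next to the hash.
    votes = {"B-1001": "X", "B-1002": "Y", "B-1003": "X"}
    receipts = {bid: receipt_hash(bid, c) for bid, c in votes.items()}

    # 1. Plain hash: the receipt reveals the vote to whoever is shown it,
    #    so it works as proof for a vote buyer or coercer.
    leaked = {bid: recover_choice(bid, h) for bid, h in receipts.items()}

    # 2. Keyed hash: without the key the receipt reveals nothing, but the
    #    voter cannot recompute it either and has to trust the authority.
    key = secrets.token_bytes(32)
    keyed = keyed_receipt(key, "B-1001", "X")
    blind = recover_choice_keyed(secrets.token_bytes(32), "B-1001", keyed)

    # 3. Publication is not inclusion: every receipt appears on the list
    #    even though the announced totals differ from the real ones.
    published = set(receipts.values())
    true_totals = Counter(votes.values())
    announced = Counter({"X": 1, "Y": 2})  # constructed wrong announcement
    all_found = all(receipt_is_published(published, h) for h in receipts.values())
    return leaked, blind, all_found, true_totals != announced


if __name__ == "__main__":
    print(demo())
```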

David Chaum developed the Punchscan voting system as an end-to-end verifiable election protocol for paper ballots that allows anonymity and verifiability. Scantegrity is a successor s

In other words, voting is inherently broken. Either you vote in a verifiable way for whoever the powers that be want you to vote for, or you do so in an unverifiable way without your knowledge or consent.

As others have already pointed out in the thread, I was providing one relatively benign example of "selling your vote".

Other examples of transactions involving your vote might include (stolen from above in some cases):
"Vote this way, and I won't break your fingers"
"Vote this way and you can keep your job"
"Hey honey, can I see who you voted for? Uncle Fred didn't win...."

Vote selling happens in many subtle ways. The lack of a way to prove they got what they paid for prevents it. You can offer to buy someo

I have heard of a better, though more complicated solution: You fill out three ballots, so that the selection you want is marked on two, and the selection you don't want is marked on one (a computer is probably needed to check this). Each ballot has a unique serial number. You hand in all three, and get a copy of one of them (it isn't noted which one). The ballots are counted, and 1/3 of the number of ballots is subtracted from all totals. All ballots are made public. Everyone can check the count, and thro
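The three-ballot scheme described in the comment above corresponds to what Rivest published as ThreeBallot. The following added example (not part of the thread) carries it through: the validity check, the tally with one third of the ballot count subtracted, and a brute-force check that a single kept ballot is consistent with every possible choice. Candidate names, random serial numbers and all function names are assumptions made for the illustration.

```python
import random
from collections import Counter
from itertools import combinations, product

CANDIDATES = ["A", "B", "C"]  # constructed race


def fill_three_ballots(choice, rng):
    """Chosen candidate is marked on two ballots, every other on exactly one."""
    ballots = [set(), set(), set()]
    for cand in CANDIDATES:
        n_marks = 2 if cand == choice else 1
        for idx in rng.sample(range(3), n_marks):
            ballots[idx].add(cand)
    return [frozenset(b) for b in ballots]


def is_valid_triple(ballots):
    """The checker's test: each candidate has 1 or 2 marks, exactly one has 2."""
    counts = Counter(c for b in ballots for c in b)
    marks = [counts.get(c, 0) for c in CANDIDATES]
    return all(m in (1, 2) for m in marks) and marks.count(2) == 1


def run_election(choices, seed=0):
    """Return the public board of (serial, marks) and each voter's kept copy."""
    rng = random.Random(seed)
    # Random serials so the three ballots of one voter cannot be linked.
    serials = iter(rng.sample(range(10**9), 3 * len(choices)))
    board, receipts = [], []
    for choice in choices:
        triple = fill_three_ballots(choice, rng)
        if not is_valid_triple(triple):
            raise ValueError("checker rejected the ballots")
        numbered = [(next(serials), marks) for marks in triple]
        receipts.append(rng.choice(numbered))  # which one is kept is not recorded
        board.extend(numbered)
    rng.shuffle(board)
    return board, receipts


def tally(board):
    """Count every published ballot, then subtract one third of their number."""
    n_voters = len(board) // 3
    raw = Counter(c for _, marks in board for c in marks)
    return {c: raw.get(c, 0) - n_voters for c in CANDIDATES}


def receipt_on_board(receipt, board):
    """A voter's check: the kept ballot must appear unchanged on the board."""
    return receipt in board


def choices_consistent_with(receipt_marks):
    """Every vote that some valid triple containing this one ballot could encode."""
    subsets = [frozenset(s) for r in range(len(CANDIDATES) + 1)
               for s in combinations(CANDIDATES, r)]
    found = set()
    for others in product(subsets, repeat=2):
        triple = [receipt_marks, *others]
        if is_valid_triple(triple):
            counts = Counter(c for b in triple for c in b)
            found.add(next(c for c in CANDIDATES if counts[c] == 2))
    return found


if __name__ == "__main__":
    board, receipts = run_election(["A", "A", "B", "C", "A"], seed=7)
    print(tally(board))
    print([sorted(choices_consistent_with(m)) for _, m in receipts])
```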

The papal conclave of 1903 [wikipedia.org] was very contentious. But perhaps you believe that a Jus exclusivae [wikipedia.org] is a form of divine intervention, and not merely Francis Joseph I playing politics.

It is astounding how many people don't understand the simple paper ballot voting system as it is still applied in many countries and hopefully will for a long time to come. It is based on the same principles as the papal vote, or actually the other way around. The most important aspect is that of public observability of all but the single secret aspect that exists in a proper election, and that single aspect is still completely observable by the person currently voting.

This scales up to millions of voters by distributing the process such that partial results and their propagation to higher levels are observed by local competing groups, and not only isn't electronic voting helping, it's actually destroying the very core of this protocol: The observability.

Excellent simple explanation of the beauty of paper ballots. In any sensible setting (lacking truckloads of armed goons stealing ballot boxes etc) you can't beat paper ballots and scrutineers overseeing the counting. Plus you can actually go back and recount.

Of course voting technology is the least of the problems with our current electoral and government systems.

No, you can't recount, at least not in a meaningful way. Once the ballot boxes and the ballots have left the constant supervision of the observers, it must be assumed that they have been tampered with. It is very important that irregularities are found and corrected right away. Fortunately the protocol makes this easy.

You'll find that countries which follow this simple protocol don't take weeks to publish final results. This is by design.

Many countries keep the papers under observation for a certain time. There may be automatic recounts if the results are close or recounts demanded by parties under various circumstances. Of course once this process is finished and the ballot papers removed from scrutiny then you are right - further recounts are not possible.

The super majority doesn't drop. The drop of the supermajority is one of the things introduced by John Paul II and removed again by Benedict. His reason for removing it was that any simple majority could simply block the election until the supermajority requirement had dropped, thus making it completely irrelevant. So now a 2/3 majority is needed at all times.

So even in one of the oldest and most conservative institutions in the world, the black guy's votes carry as much weight as the white guys' and they aren't repressed in any way and can post their ballot in a timely fashion?

You know, if you're going to go off on republicans and election fraud, need I remind you that in the 2012 election, EVERY SINGLE SWING STATE went democrat. You'd think for certain that at least one of them would have gone republican. That's the definition of swing state, you don't know which way they're going to go, and when you have what was it, 10 of them, odds are one of them should have gone republican, but no. Surely at least Wisconsin should have gone red, but it didn't. So if you're going to thro

Swing states are a historical thing, not a per-election thing. Some years they go one way, some years they go the other. This election, despite the media's attempts at creating a nose-to-nose horse race, was predicted very early and very accurately.

February 19, 2013 North Carolina's Civitas Institute has revealed that the North Carolina State Board of Elections and the Obama campaign conspired to register at least 11,000 people via the internet in violation of state law. This has been confirmed through records requests filed with all of North Carolina's 100 counties. The counting is not yet complete.

and

The technology from Allpoint Voter Services uses remote-control pens to transmit “signatures” over the Internet, according to techpresident.com[iii]. After entering voter information in an online form, the citizen “signs” it with a stylus or a finger. The Allpoint technology records the signature and then transmits it to one of two autopens – one in California, the other in Nevada[iv]. One of the pens transcribes the signature on to a paper voter registration form. Allpoint then mails the documents to local election boards – or is supposed to, a point we’ll come back to.

Seemed to be an interesting and technology-relevant story -- perfect for Slashdot. Not sure why it wasn't carried.

Nice try. When you can come up with an intellectually honest answer as to why voter ID laws always seem to specify types of IDs that non-Republican voters tend on average to be lacking in greater quantities I might even buy it. A citation for Mother Jones saying that this "never actually happens" wouldn't hurt either. The position on the less right wing side in this country, which has always lacked a definable left wing by world standards, is that voter fraud is so statistically rare as to defy the amount of resources right-wingers seem to want to use to fight it. There is no credible evidence which refutes this.

There is an avalanche of evidence and CONVICTIONS for multiple votings, fraudulent registrations, and the like. ACORN registered Mickey Mouse, and voting records showed that he voted.

Mother Jones' assertion that it costs hundreds of dollars to get ID is bullshit. I have done it recently, it is nowhere near that expensive. MJ is cherry picking by getting the most expensive documents in the most expensive states. You will have a BC/COLB unless your parents were retarded and threw it out or you were unlucky

Show the documentation that Mickey Mouse voted. This is false. The Mickey Mouse thing is legitimate. It's been distorted like the McDonalds coffee case. If you hand somebody a registration form, and they put Mickey Mouse on it, BY LAW, you are not allowed to discard it. You MUST turn it in. What most groups like ACORN did was segregate these suspicious registrations before turning them in. Legally they had no choice. It has become a right wing talking point that they were all eager to register Mickey Mouse. This is false. Quit believing email forwards from your grandparents.

You act as though ACORN has no blame, when a quick Google (no really... I didn't know anything about this until now) reveals that several dozen ACORN employees and ACORN itself have been convicted of crimes related to voter registration fraud.

Just like any crime, it's not how many we catch that worries me, it's how many have gotten away with it.

An Atlanta-Journal & Constitution article (can't find a link) from last year pointed out that in the years following Georgia's new voter ID law, Hispanic and Black voting participation had increased far more than would be expected from population increases, in direct contravention to the claims of the mostly-Democrat objections to the law.

When you can come up with an intellectually honest answer as to why voter ID laws always seem to specify types of IDs that non-Republican voters tend on average to be lacking in greater quantities I might even buy it.

Simple, they can't get one. They came from a place where the records were destroyed, or never existed in the first place. This is not as rare as many people might like to think - it's been a fact of recent civil wars in my lifetime, that one side systematically destroyed all birth records of the other.

There are people who can't afford to fly, who buy their cigs and alcohol off a younger family member, have no credit cards or bank accounts (using just the check cashing place and paying an exorbitant fee th

This is not as rare as many people might like to think - it's been a fact of recent civil wars in my lifetime, that one side systematically destroyed all birth records of the other.

We, uh, haven't had a whole lot of civil wars in the US since the birth of anyone currently living here. Yes, we've all heard about the sisters from middle-of-nowhere Appalachia who never left their home valley for their first 40 years of life and now can't prove themselves as US citizens. And yes, I'd still have to call that pretty damned rare.

Their lives are already greatly limited and with the aggressive work of republican groups screaming about vote fraud, we can ensure that they lose even the right to vote in our lifetime, since they certainly would have voted democrat anyway.

Does that bother you? I mean, that people (on both sides of the aisle) automatically assume voter ID laws disproportionately affect Democrats? It basically shouts to the world, "We have such a strong association as the party of complete losers, of illegals, of 3rd gen welfare dynasties, that we just assume all the human trash in our society will vote blue".

And FWIW, I don't vote red. You can't just assume that everyone belongs to the GOP who happens to believe we should verify citizenship before allowing people to exercise the core right of that citizenship. That everyone who believes in fiscal responsibility sides with the misogynistic religious whackjobs on the right. That "I disagree with you" automatically makes me a member of "the enemy".

Does that bother you? I mean, that people (on both sides of the aisle) automatically assume voter ID laws disproportionately affect Democrats?

No. It's not a wild hypothesis... people of lower means are more easily deterred from accomplishing an objective when administrative hurdles are introduced. You seem to assume that these politicians are ignorant of demographics and voting patterns and so forth... that's nonsense.

It basically shouts to the world, "We have such a strong association as the party of complete losers, of illegals, of 3rd gen welfare dynasties, that we just assume all the human trash in our society will vote blue".

No, it shouts to the world that lower- and working-class people are part of the Democratic base. I'm sure that includes many of the losers/illegals/trash you mention, but I'm not going to paint 50% of Americans [depending on what de

That's pretty rare. And my state went to great lengths to cover all of those, with a help center for those fringe cases. And if they didn't use the help center, they could cast a provisional ballot.

You make a lot of assumptions. That only Republicans want to limit voter fraud, that folks on the lower socioeconomic scale are too stupid and/or helpless to get ID if they want it, that lower socioeconomic scale folks are guaranteed Democrat votes, etc.

Because everyone lives the way you do, and if they don't, they don't count.

Certain activities in our society come with prerequisites. If you want to drive, you need a driver's license. If you want to hunt, you need a hunting license. If you want to work as an MD, you need a medical license.

No, everyone does not live the way I do. But if they want to live the way I do - And that includes voting - Then they need to meet the associated prerequisites. If you can't prove you exist as a legal US citizen

I can't see how their system would hold up when those who don't share the same intrinsic values and contradict the prevailing group think are included in the vote. Oft times with Catholics, as well as other sects, the idea is to fit the data to mold, not the mold to the data.

As Mr. Schneier points out, this doesn't scale. There is no way you could do a US Presidential election this way.

I also think it relies some on the autonomy of the Cardinals, which wouldn't necessarily map well to a civil election. Suppose that 100 people got together to elect (say) a town mayor using this protocol, and one of them was the employer of most of the rest. Would this be sufficient to prevent him from influencing or even coercing his employees to vote his way?

As Mr. Schneier points out, this doesn't scale. There is no way you could do a US Presidential election this way.

This is not unique, not even very unusual. What we are seeing here is members of a parliament voting for a prime minister. That happens in a hundred places across the world. Why doesn't Schneier analyze whether you can "hack the vote" in the House of Lords?

If you do want to compare it to the US, this compares to a vote in the Senate, and is somewhat much smaller than a vote in the House of Representatives.

This doesn't quite compare to votes in either the House of Lords or the Senate. I believe that the votes in neither establishment are secret. Both you (as a citizen) and they (as a Lord / Senator) can check the way they voted.

The Cardinals' vote for Pope is different, in that I think it is meant to be secret.

Why doesn't Schneier analyze whether you can "hack the vote" in the House of Lords?

Because the Lords don't elect the Prime Minister?

Doesn't matter, as long as they vote on something.

The point is that this is a body of, what, about seven hundred people, most of whom know each other, and hence has similar dynamics to the voting of the College of Cardinals, unlike the United States electorate of about two hundred million people.

Can you "hack" a vote in the House of Lords? In what way would that be different from hacking the vote in the College of Cardinals?

As Mr. Schneier points out, this doesn't scale. There is no way you could do a US Presidential election this way.

Actually, that is close to how the US Presidential election really does work. The President isn't elected by the people, but rather by the Electoral College, a group more similar in size to the College of Cardinals than to the entire US population. They have very well defined rules as to how to vote, just as the papal conclave does. And so far, it seems to have worked pretty well. Many have proposed abandoning the electoral college system, but this article provides some good reasons why it should be ret

Get your head out of the clouds and come back down to earth. The electoral college does not have meaningful autonomy. The college of cardinals does, at least when it comes to papal elections.

However, it should be noted that the pope chooses the cardinals. Since only cardinals under the age of 80 can vote, the chances that the new pope will make a political break with his predecessor are somewhat slim.

Maybe. Scale it up in steps. Groups of 12 citizens who are known to each other get into rooms to conduct a vote. One is chosen to take their group's decision to the next level, where 12 group representatives who know each other get together to vote. And so on...you'd only need seven levels of voting to reach the final 12 representatives in the current US voting population.

OK, step back. Take a deep breath. The pope is sort-of oughtta be elected on the basis of what the Catholic god (or maybe Jesus, it ain't clear) tells the cardinals is the right choice. So how the fuck could a vote that's determined by the Almighty(s) possibly be rigged by mere mortals?

Why focus on the voting mechanism? It's like testing the quality of a democracy by looking at the voting procedure in the house of commons. The weakness, as is always the case, is human accountability. This is just as true within a theocratic oligarchy as it is within a representative democracy.

Anyone who thinks that powerful interests have no sway in the election of a pontiff is uneducated in history and blissfully naive.

Because the whole article was about whether the vote could be hacked, not whether the voters could be influenced. Of course the vote can be affected, as has happened many times in history, but that's not what's being talked about here. This is about physical hacking of the process. From the very first line of TFA:

As the College of Cardinals prepares to elect a new pope, security people like me wonder about the process. How does it work, and just how hard would it be to hack the vote?

Considering that this voting process has evolved in the face of thousands of years of intrigue and backstabbing that makes even politicians look like choirboys, why is this a surprise? The evolutionary pressure was most certainly there.

And of course this analysis overlooks the most reliable way of rigging an election, and one that is most certainly practiced here: hand-picking the electorate.
Who appointed those cardinals in the first place, eh?

"And of course this analysis overlooks the most reliable way of rigging an election, and one that is most certainly practiced here: hand-picking the electorate. Who appointed those cardinals in the first place, eh?"

That can be done on a large scale, too. It's known as gerrymandering and is done by both parties. It's especially common for congressional districts. If you look at the national map, you see all kinds of bizarre shapes designed to give one party or the other a majority. They don't follow

A lot of gerrymandering is required by the Voting Rights Act in order to create minority majority districts so that minorities can be guaranteed to have representation. Simply putting 51% of a minority in a district is not sufficient either. That's a fairly significant contributing factor to the oddly shaped districts. Given the way minorities generally vote, this favors Republicans.

Elections like this don't get manipulated during the ballot-casting, because they're not decided during the ballot-casting. Just like the decisions of a legislative body, the vote itself is merely the result of a ton of secret politics leading up to it.

When you win a battle, celebrate that you moved the front. Don't fret that you didn't win the war yet. It is good to lock a door and make a burglar noisily kick it in, even if he still gets in.

The process changed the place. The reason elections are won by pre-election dealing, is that we have (mostly) succeeded at making it sufficiently hard to win by ballot box hacks. Pre-election deals are relatively expensive compared to ballot box hacks.

open systems conducted within a known group make voting fraud much harder.

Doesn't anyone remember the Chicago political machines? If the group becomes corrupt, group control is a bad thing. And remember, the voting all happens in front of that group ONLY; no outsiders are told the vote, only the result.

It's not as if there are any candidates who would promote a human rights agenda that focuses on equality for ALL people, regardless of race, gender, or sexual orientation. The problem is, all of these guys running for pope are pretty much the same.

That's the key, and makes for clean elections - I've observed elections in the UK, Kosovo and Ukraine.

This tends to mean manual counting of physical pieces of paper that have been marked by the voter by hand, as that's vastly easier for lay people to observe and verify than hidden things going on inside computers or other machines. (I'm not saying that proper independent observation by lay people of what goes on inside a machine isn't possible, just that nobody has worked out how to do it yet.) If I'd observed an election involving machines I would have had to write in my report that I had no confidence in the outcome of the election because I had no visibility of what was going on inside the machines.

The big problem with the cleanliness of the UK voting system is postal votes - and this is in my view precisely because this is a part of the process which is *not* independently observed - you don't know for sure who applied for the postal ballots, who acquired them, or who filled them in under what pressure.

And it can still be corrupted. By buying the votes beforehand. In fact, back home, there was one very famous case of vote buying, and the people went to their religious leader saying they were offered $150 for their votes. He told them to take the money, but once inside the voting booth, to vote their conscience.

Exactly. The problem with buying votes is verifying that you've got what you've paid for. With a vote placed in the ballot box by the voter there is no way to achieve this... but there is a way to achieve it with postal votes, which is one of the things wrong with postal votes.

I read a really neat paper about the implications of the Doge election protocol to distributed systems. There the focus was more on preventing bribery and less on more general fraud, but it was a pretty cool system. [pdf] www.hpl.hp.com/techreports/2007/HPL-2007-28R1.pdf

The book "Sex Lives of the Popes" documents numerous instances of corruption in the election process. During the 10-11th century, one mother and daughter pair got 7 popes onto the papal chair, by having affairs with, or giving birth to them.

You can hack it when the ballots are being counted. How? Because it's unclear if the scrutineers are really randomly chosen.

What is the process of selection? Do they draw the names out of a hat? Easy: the person picking the names can substitute any name they want. They just need 3 scrutineers, and they can tally the votes any way they'd like.

Taking a step back, how are candidates selected? You don't have to hack the process if you manipulate the selections or compromise the candidates.

... rent (or own as I do) the movie "The Shoes of the Fisherman" from 1968. It shows in detail the process of a fictional papal conclave including the steps the cardinals take to ensure fairness. Quite revealing.

On a completely different subject, for those movie geeks of you out there who love "2001: A Space Odyssey" as I do, this film is where Alex North recycled some of his rejected score for 2001.

>... rent (or own as I do) the movie "The Shoes of the Fisherman" from 1968.

Or be *really* drastic and read the book ...

(Btw, the elected bishop in that was closely patterned after the actual Ukrainian Catholic leader who was imprisoned by the Bolsheviks, and reputed to have been the runner up when Pope Paul was elected. The book was written before Vatican II, but significantly foreshadowed some of its events ...).